Insight
Insight Analytics and Audit (Insight) uses OpenSearch and OpenSearch Dashboards to perform analytics on the audit events and log messages aggregated in the Audit Store. Both are distributed as Docker containers that can be hosted on ESAs.
ILM Export
This section outlines the ILM export configuration for various log and metric indices. The objective is to manage the lifecycle of these indices efficiently, ensuring data is archived or deleted as required.
| Index | Maximum size | Maximum doc count | Maximum index age |
|---|---|---|---|
| Audit Log Index | 50 GB | 50 million | 30 days |
| Protector Status Logs Index | 150 GB | 1 billion | 365 days |
| Troubleshooting Logs Index | 150 GB | 1 billion | 365 days |
| Policy Logs Index | 150 GB | 1 billion | 365 days |
| Miscellaneous Index | 200 MB | 3.5 million | 7 days |
| DSG Transaction Metrics Index | 1 GB | 10 million | 1 day |
| DSG Error Metrics Index | 1 GB | 3.5 million | 1 day |
| DSG Usage Metrics Index | 1 GB | 3.5 million | 1 day |
ILM Export Configuration Considerations
Maximum size: Defines the maximum size an index can reach before getting exported.
Maximum doc count: Defines the maximum doc count an index can reach before getting exported.
Maximum index age: Defines the maximum age an index can reach before getting exported.
Conditions: ILM Export occurs as soon as any one of the above limits is reached; the entries are then removed from the index and archived to a file.
For more information about configuring ILM Export, refer to ILM Multi Export.
ILM Delete
This section outlines the ILM delete configuration for various log and metric indices. The objective is to manage the lifecycle of these indices efficiently, ensuring data is deleted when it is no longer required.
| Index | Maximum size | Maximum doc count | Maximum index age |
|---|---|---|---|
| Miscellaneous Index | 1 GB | | |
| DSG Transaction Metrics Index | 14 GB | 100 million | 30 days |
| DSG Error Metrics Index | 6 GB | 50 million | 30 days |
| DSG Usage Metrics Index | 10 GB | 75 million | 30 days |
ILM Delete Configuration Considerations
Maximum size: Defines the maximum size an index can reach before getting deleted.
Maximum doc count: Defines the maximum doc count an index can reach before getting deleted.
Maximum index age: Defines the maximum age an index can reach before getting deleted.
Conditions: Deletion occurs as soon as any one of the above limits is reached.
For more information about configuring ILM Delete, refer to ILM Multi Export.
Index Rollover
This section details the index rollover settings for various log and metric indices. Efficient rollover policies ensure high performance and manageability of the indices.
| Index | Maximum size | Maximum doc count | Maximum index age |
|---|---|---|---|
| Audit Log Index | 50 GB | 50 million | 1 day |
| Protector Status Logs Index | 5 GB | 200 million | 30 days |
| Troubleshooting Logs Index | 5 GB | 200 million | 30 days |
| Policy Logs Index | 5 GB | 200 million | 30 days |
| Miscellaneous Index | 200 MB | 3.5 million | 7 days |
| DSG Transaction Metrics Index | 1 GB | 10 million | 1 day |
| DSG Error Metrics Index | 1 GB | 3.5 million | 1 day |
| DSG Usage Metrics Index | 1 GB | 3.5 million | 1 day |
Index Rollover Configuration Considerations
Maximum size: Defines the maximum size an index can reach before rolling over.
Maximum doc count: Defines the maximum doc count an index can reach before rolling over.
Maximum index age: Defines the maximum age an index can reach before rolling over.
Conditions: Index Rollover occurs as soon as any one of the above limits is reached.
For more information about configuring Audit Index Rollover, refer to Audit Index Rollover.
Alerting
Create a scheduled task on every ESA to monitor and log spikes in CPU, memory, or disk usage that exceed the configured thresholds. These logs must be systematically forwarded to Insight within the ESA.
For more information about configuring alerts, refer to Working with alerts.
Requirements
Monitoring Metrics: The task should observe the following system metrics:
- CPU Usage
- Memory Usage
- Disk Usage
Threshold Configuration
- Define specific thresholds for CPU, memory, and disk usage.
- Ensure these thresholds can be adjusted as needed.
Log Generation
Generate detailed logs whenever a spike in CPU, memory, or disk usage exceeds the configured threshold.
Log Forwarding
Implement mechanisms to forward these logs to the Insight within the ESA.
Implementation Steps
Script Development
- Develop a script to monitor CPU, memory, and disk usage.
- Incorporate threshold parameters into the script.
Schedule the task using Task Scheduler.
For more information about creating a scheduled task using Task Scheduler, refer to Creating a scheduled task.
Logging Mechanism
Use the logger utility to write the logs to syslog.
Test and Validate
Conduct thorough testing to ensure the script accurately detects and logs spikes.
Validate that logs are correctly forwarded to and received by the Insight.
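As an added example (not part of the original page or of Protegrity's own tooling), the following POSIX shell script implements the steps above: it samples CPU, memory and disk usage, compares each against an adjustable threshold, and writes a key=value alert line to syslog with logger, from where the ESA's syslog forwarding can deliver it to Insight. The syslog tag, the threshold defaults, the `run` argument and the /proc-based sampling are assumptions made for this example.

```sh
#!/bin/sh
# Constructed example: resource-spike monitor for an ESA, run from a scheduled task.
# Thresholds are percentages and can be overridden through environment variables.
CPU_THRESHOLD="${CPU_THRESHOLD:-85}"
MEM_THRESHOLD="${MEM_THRESHOLD:-85}"
DISK_THRESHOLD="${DISK_THRESHOLD:-80}"
DISK_PATH="${DISK_PATH:-/}"
SYSLOG_TAG="${SYSLOG_TAG:-esa-resource-monitor}"   # assumed tag; choose one Insight can filter on
# cpu_usage: percent of non-idle CPU time over a one-second sample of /proc/stat.
cpu_usage() {
    read -r _cpu u1 n1 s1 i1 w1 x1 y1 _rest < /proc/stat
    sleep 1
    read -r _cpu u2 n2 s2 i2 w2 x2 y2 _rest < /proc/stat
    idle=$(( (i2 + w2) - (i1 + w1) ))
    total=$(( (u2 + n2 + s2 + i2 + w2 + x2 + y2) - (u1 + n1 + s1 + i1 + w1 + x1 + y1) ))
    [ "$total" -gt 0 ] && echo $(( (total - idle) * 100 / total )) || echo 0
}
# mem_usage: percent of RAM in use, from MemTotal and MemAvailable in /proc/meminfo.
mem_usage() {
    awk '/^MemTotal:/ {t=$2} /^MemAvailable:/ {a=$2}
         END { if (t > 0) printf "%d\n", (t - a) * 100 / t; else print 0 }' /proc/meminfo
}
# disk_usage: percent of the filesystem holding DISK_PATH that is in use (df "Use%" column).
disk_usage() {
    df -P "$DISK_PATH" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}
# exceeds VALUE THRESHOLD: true (0) when the sampled value is strictly above the threshold.
exceeds() { [ "$1" -gt "$2" ]; }
# alert_line METRIC VALUE THRESHOLD: key=value message so Insight can parse the fields.
alert_line() {
    printf 'metric=%s value=%s%% threshold=%s%% host=%s\n' "$1" "$2" "$3" "$(uname -n)"
}
# check_metric METRIC VALUE THRESHOLD: prints an alert line and returns 1 on a spike, else 0.
check_metric() {
    if exceeds "$2" "$3"; then alert_line "$1" "$2" "$3"; return 1; fi
    return 0
}
# main: sample all three metrics, send every spike to syslog via logger, exit 1 if any spike was seen.
main() {
    rc=0
    for sample in "cpu $(cpu_usage) $CPU_THRESHOLD" "memory $(mem_usage) $MEM_THRESHOLD" \
                  "disk $(disk_usage) $DISK_THRESHOLD"; do
        set -- $sample
        msg=$(check_metric "$1" "$2" "$3") || { rc=1; logger -t "$SYSLOG_TAG" -p daemon.warning "$msg"; }
    done
    return $rc
}
# Sample and log only when invoked as "script run" (the scheduled task); otherwise just define functions.
case "${1:-}" in run) main ;; esac
```

A non-zero exit from the scheduled run means at least one spike was logged, which the task's own history can be checked against during the validation step.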
Implementing this scheduled task improves the ability to monitor system health and respond proactively to potential issues, thereby improving overall system stability and security compliance.
Audit Store Dashboards
It is recommended that default dashboards in ESAs are not modified or deleted.
For more information on the dashboards provided by Protegrity, refer to Working with Protegrity dashboards.